Lucene search

K
ibmIBMB971398C9C83E22F3CDA3C319CD1570EC2C14336B77C302FD69047B0146E8A78
HistoryJun 30, 2023 - 12:33 p.m.

Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Tivoli Netcool System Service Monitors/Application Service Monitors (CVE-2022-4304, CVE-2023-0215, CVE-2023-0286,CVE-2022-4450, CVE-2023-0216, CVE-2023-0401, CVE-2022-4203, CVE-2023-0217)

2023-06-3012:33:43
www.ibm.com
26
ibm tivoli
netcool
service monitors
application
openssl vulnerabilities
cve-2022-4450
cve-2023-0216
cve-2023-0401
cve-2022-4203
cve-2023-0217
denial of service

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7

Confidence

High

EPSS

0.006

Percentile

79.4%

Summary

There is a security advisory for openSSL_1.0.2r which is used by IBM Tivoli Netcool System Service Monitors/Application Service Monitors 4.0.1

Vulnerability Details

**CVEID:**CVE-2022-4450 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error related to the improper handling of specific PEM data by the PEM_read_bio_ex() function. By sending specially crafted PEM files for parsing, a remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2023-0216 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an invalid pointer dereference related to the incorrect handling of malformed PKCS7 data. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2023-0401 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference during PKCS7 data verification. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246618 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2022-4203 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a read buffer overrun triggered by the improper handling of X.509 certificate verification. A remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246613 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:**CVE-2023-0217 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference related to the validation of certain DSA public keys. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246619 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Tivoli Netcool System Service Monitors/Application Service Monitors 4.0.1

Remediation/Fixes

Product VMRF APAR Remediation/First Fix
IBM Tivoli Netcool System Service Monitors/Application Service Monitors 4.0.1 SP11 PSIRTs Only https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Netcool+System+Service+Monitor&release=4.0.1.3&platform=All&function=fixId&fixids=4.0.1.3-TIV-SSM-IF0011&includeSupersedes=0&source=fc

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmnetcool\/system_service_monitorMatch4.0.1
VendorProductVersionCPE
ibmnetcool\/system_service_monitor4.0.1cpe:2.3:a:ibm:netcool\/system_service_monitor:4.0.1:*:*:*:*:*:*:*

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7

Confidence

High

EPSS

0.006

Percentile

79.4%